Hi Optiv,

Love the tool. I notice that a lot of oldr versions of word are x86running on x64. I know not a lot of people write wow64 shellcode nowdays but it would be great to add it in as an optional

ie if x86 on 86 then x86 shellcode

if x64 on x64 then x64 shellcode

if x86 on x64 then wow64 shellcode

Thanks

I encountered this error

/Ivy -Ix64 /home/nanite/misc/Ivy/loaderx64.bin -Ix86 /home/nanite/misc/Ivy/loaderx86.bin -P Inject -delivery hta -process32 C:\windows\Syswow\cmd.exe -processx64 C:\windows\system32\cmd.exe -O hta

Ivy doesnt give me an output

As above, tried several combinations to generate but getting the same error. bin is from CS, thanks!

┌──(snake㉿kali)-[~/Tools/Ivy]
└─$ ./Ivy_1.11 -stageless -Ix64 stageless64.bin -Ix86 stageless32.bin -P Local -O stageless.js

 ___   ___      ___  ___    ___ 
|\  \ |\  \    /  /||\  \  /  /|
\ \  \\ \  \  /  / /\ \  \/  / /
 \ \  \\ \  \/  / /  \ \    / / 
  \ \  \\ \    / /    \/  /  /  
   \ \__\\ \__/ /   __/  / /    
    \|__| \|__|/   |\___/ /     
                   \|___|/   
                   (@Tyl0us)

The suffering. The pain. Can't you hear them?
Their cries for mercy?

2022/01/30 02:15:48 Error: Invalid delivery command option, please choose one of the acceptable options

┌──(snake㉿kali)-[~/Tools/Ivy]
└─$ ./Ivy_1.01 -stageless -Ix64 stageless64.bin -Ix86 stageless32.bin -P Local -O stageless.js 1 ⨯

 ___   ___      ___  ___    ___ 
|\  \ |\  \    /  /||\  \  /  /|
\ \  \\ \  \  /  / /\ \  \/  / /
 \ \  \\ \  \/  / /  \ \    / / 
  \ \  \\ \    / /    \/  /  /  
   \ \__\\ \__/ /   __/  / /    
    \|__| \|__|/   |\___/ /     
                   \|___|/   
                   (@Tyl0us)

The suffering. The pain. Can't you hear them?
Their cries for mercy?

[] Generating Implant
[!] Stageless Shellcode Selected
[] Local Mode Selected
[] Implant Encrypted
[] Generating Loader
[+] Loader File Generated: stageless.js
[*] Remember the systems targeted need to have Office installed in order to work

there us an error in compiling Ivy on Kali Linux
see the screenshot beloow:

.\Ivy.exe -Ix86 .\ItWorks.bin -Ix64 .\ItWorks.bin -stageless -debug -product PowerPoint -P Local -O test3.js

[DEBUG] Reading payload file .\ItWorks.bin [DEBUG] Reading payload file .\ItWorks.bin [*] Generating Implant [DEBUG] JAVA CODE SNIPPET COMPLETED [!] Stageless Shellcode Selected [*] Local Mode Selected [DEBUG] LOCAL SPAWNING CODE SNIPPET COMPLETED [*] Implant Encrypted [*] Generating Loader [DEBUG] DECODER STARTER SNIPPET COMPLETED [DEBUG] DECODER FUNCTION SNIPPET COMPLETED [DEBUG] LAUCHER SNIPPET COMPLETED [+] Loader File Generated: test3.js [*] Remember the systems targeted need to have Office installed in order to work

The version variable value shows , which in this case it isn't taking the ActiveXObject above and placing it like the other instances i've created. So far I've only noticed with doing a local with PowerPoint.

Stupid question, what is the format of shell code required 0x00,0x00 /x00/x00 etc ?

Hi!
The description of your tool does not clearly state what kind of payload should passed to the -Ix64/32 parameters. Is it msfvenom -f raw output, c code, vba code, PowerShell code?
Please clarify.
Thanks!

Hello,
The Random in generated script for variables isn't working as tout can see on this screen :

./Ivy -Ix64 payload.vba -P Inject -sandbox -O 1 ，after execution，A file without suffix will be generated. After changing the suffix xls, it cannot go online.

Hey,

When trying a number of the example commands including:

Ivy -stageless -Ix64 stageless64.bin -Ix86 stageless32.bin -P Inject -process64 C:\\windows\\system32\\notepad.exe -process32 C:\\windows\\SysWOW64\\notepad.exe -O stageless.js

I get the error:

panic: strings: negative Repeat count

goroutine 1 [running]:
strings.Repeat(0x569f21, 0x4, 0xffffffffffffffff, 0xc00007ed78, 0x40971b)
	/usr/lib/go-1.13/src/strings/strings.go:533 +0x5aa
github.com/optiv/Ivy/Cryptor.StagelessArrayGen(0x0, 0x0, 0x0, 0x0, 0x0)
	/home/jabo/go/src/github.com/optiv/Ivy/Cryptor/Cryptor.go:84 +0x48
main.main()
	/home/jabo/go/src/github.com/optiv/Ivy/Ivy.go:128 +0xbc8

I'm running v1.12 on Ubuntu 20.04.3 LTS with the dependencies installed per your instructions.

After executing go build Ivy.go
It says: Operation did not complete successfully because the file contains a virus or potentially unwanted software.

I am sorry that I cannot open the xxx. XLS file because there is something wrong with the content. What should I do

I downloaded both tarball and zip file. There is only LICENSE inside it. I'm doing debian packaging for this tool to push it on Parrot's repository. I hope you can fix it soon. Thank you :)

The image above shows command output from tool when building payload. Tool version is current build as of today for IVY 1.12 and CS (CobaltStrike 4.7.1).

Stageless payload from CS is "Windows Stageless Payload"->RAW (also tried Stageless Payload Generator->raw)

Here is what was observed:

• macro payload in excel appears to execute without visible errors (even when cscript is run on test.txt in the appdata excel path)
• test.txt is pulled down from local py webserver, no issues.
• outlook.exe spawns -> cscript.exe (with F://jscript .... args) which spawns -> excel.exe
• No call back attempt from macro :( verified via FW log and c2 server.

Troubleshooting done so far:

• CS c2 profile validated to call home via stageless windows exe. no UDRL in play. not even sleepmask. No CNA's. No kits.
• Run w/ -debug command
• Tried without -unhook command as well. no change.
• No IPS no egress filtering in play

My Current Theory:

• Maybe c2 profile has wonky settings not tested with tool? Have you had issues with custom mall c2 profile and tool? (just came to me)
• struct.go exec issue for macro?
• shellcode file doesnt make its way into payload (but size of b64 blob in test.txt makes me think it does)
• Shellcode exec call not working

Any help would be great.

Hi using delivery method as macro errors out.I think there is some problem with clsid which is being used in the macro to run the cscript command

Hello!

About -O option! Delivery option is macro, output should be generated in which format?

root@vps159125:/opt/Ivy# ./Ivy -Ix64 x64.bin -Ix86 x86.bin -P Local -delivery macro -product Word -sandbox

 ___   ___      ___  ___    ___
|\  \ |\  \    /  /||\  \  /  /|
\ \  \\ \  \  /  / /\ \  \/  / /
 \ \  \\ \  \/  / /  \ \    / /
  \ \  \\ \    / /    \/  /  /
   \ \__\\ \__/ /   __/  / /
    \|__| \|__|/   |\___/ /
                   \|___|/
                   (@Tyl0us)

The suffering. The pain. Can't you hear them?
Their cries for mercy?

2022/01/22 10:37:31 Error: Please provide a name for the payload the you wish to generate
root@vps159125:/opt/Ivy#

___   ___      ___  ___    ___
|\  \ |\  \    /  /||\  \  /  /|
\ \  \\ \  \  /  / /\ \  \/  / /
 \ \  \\ \  \/  / /  \ \    / /
  \ \  \\ \    / /    \/  /  /
   \ \__\\ \__/ /   __/  / /
    \|__| \|__|/   |\___/ /
                   \|___|/
                   (@Tyl0us)

The suffering. The pain. Can't you hear them?
Their cries for mercy?
Error : Invalid paylod typ

As captioned, was doing local injection and found that EXCEL and Wscript are not terminated after exit in CS, is it intended? Thanks!

github.com/optiv/Ivy/Loader

/home/kali/Desktop/Ivy/Struct/Struct.go:444: error: invalid export data for ‘Macro’: invalid line number
/home/kali/Desktop/Ivy/Struct/Struct.go:443: error: invalid export data for ‘Macro’: invalid line number

Can you please assist?